Provision and Acceptable Use of IT Policy (MPF1314)
1. Objectives
The objectives of this policy are to:
(a) outline the principles that apply to the management and use of computing and network
facilities across the University;
(b) support efficient University processes and enhance staff and student experience with IT
tools;
(c) define the expectations of users of University information technology systems and
restrictions on use; and
(d) provide authority for the University to investigate and act on allegations of misuse.
2. Scope
2.1. This policy applies to the provision of, and all users of, University information technology
services, equipment and connectivity, including:
(a) students;
(b) staff;
(c) honoraries;
(d) contractors and consultants; and
(e) visitors.
2.2. This policy applies to all uses of University networks or connectivity services including
using a user-owned device to connect to the system.
3. Authority
This policy is made under the University of Melbourne Act 2009 (Vic) and the Vice-Chancellor
Regulation.
4. Policy
Provision of University information technology
4.1. University computing and network facilities support and enable research, learning and
teaching, and engagement, through provision of cost-effective world class infrastructure and
customer services.
4.2. Computing and network facilities and related services are responsive to the needs of
students and staff.
4.3. Environmental impact is a key consideration in selecting and deploying computing solutions
for the University.
4.4. University computing and network facilities complement and inter-operate with other
information technology in the lives of students and staff.
Use of University information technology
4.5. All users of University information technology services, equipment and connectivity are
expected to use these facilities and services in an appropriate and responsible manner.
4.6. It is the responsibility of authorised users of information technology services, equipment
and connectivity to make themselves aware of the University’s policies, terms and conditions of
use and processes related to information technology, and to conduct their activities accordingly.
4.7. Users may be exempt from aspects of this policy where it is required for their role, studies
or research. Written permission from the head of the relevant division and the Executive Director,
Infrastructure Services must be obtained.
4.8. Users must not misuse University computing or network facilities.
4.9. Users who are alleged to have misused University information technology services,
equipment and connectivity are subject to investigation and, if misuse is established, will have
penalties applied, as detailed in this policy.
Compliance with law and policy
4.10. All use and management of University computing and network facilities must be
consistent with relevant law and other University policies, including the Information Security
Policy, Privacy Policy and Records Management Policy.
4.11. To the extent allowed by law, the University is not liable for loss, damage, or consequential
loss or damage, arising directly or indirectly from:
(a) use or misuse of any facilities;
(b) loss of data or interference with data stored on any facilities;
(c) interference with or damage to equipment used in conjunction with any facilities; or
(d) any acts taken or decisions made not in accordance with this or any other policy.
5. Procedural principles
University provision of services
5.1. Infrastructure Services, in collaboration with stakeholder representatives including
representatives of each division, develops and maintains appropriate IT standards.
5.2. Infrastructure Services supports IT environments which are consistent with agreed
standards.
5.3. Support for non-standard environments may be subject to additional charges.
5.4. The University does not necessarily provide user support or funding for software licensing
for a proposed non-standard use of facilities.
5.5. The IT Product and Services Catalogue specifies which products and services are common
products or services.
5.6. The IT Product and Services Catalogue must include the following components of the lifecycle cost of IT products:
(a) initial cost;
(b) maintenance and ongoing costs, including energy and consumables;
(c) disposal costs including packaging; and
(d) environmental impact.
5.7. Divisions must not make purchases or commitments which have the effect of hindering or
preventing transition to common IT products and services.
Provider powers and responsibilities
5.8. Providers are expected to offer their services in a professional manner with appropriate
efficiency, reliability and security, considering the needs of their own users and wider user
communities within and beyond the University. Staff of providers must be properly qualified and
appropriately trained.
5.9. Providers must impose appropriate security controls on access to facilities under their
control, including on usernames, passwords and other authentication methods.
5.10. Providers must take reasonable steps to ensure that their officers, employees and agents
use facilities only for authorised purposes and do not use facilities in a way that constitutes
misuse.
5.11. Providers and their officers, employees and agents must not access information stored on
or passing through facilities unless that information is required for the proper performance of their
duties.
5.12. Providers must maintain and retain for at least six months a record of users who have
used facilities under their control and may use those records for purposes such as monitoring and
managing the performance of facilities, cost recovery and load management.
5.13. The Executive Director, Infrastructure Services may request that providers furnish records
for the purposes of investigating alleged misuse of facilities, and providers must comply with any
such requests.
5.14. Providers may, without prior notice, suspend or withdraw any service or the access of any
user to facilities, for:
(a) maintenance and upgrading of facilities;
(b) preventing misuse of facilities;
(c) preserving files or data; or
(d) other purposes that the provider considers necessary to maintain or improve the operation,
integrity or security of any facilities.
5.15. Providers may impose and collect proper charges for the use of facilities under their
control or the provision of related services.
5.16. Providers must obtain approval from the Executive Director, Infrastructure Services for
any computer or network naming or numbering system, or management practice, which has an
impact beyond the facilities under the control of the provider.
Privileges and responsibilities of users
5.17. Facilities may be used only for authorised purposes.
5.18. No user may engage in any act or practice, or omit to do any act or practice, which
constitutes a misuse of any of the facilities.
5.19. Any use of facilities which incurs a charge from a provider must be approved by the
provider, and if applicable, also by the organisational unit which will be paying the charge.
5.20. Any user who becomes aware that facilities are being used by any person to infringe the
intellectual property rights of another person, or that the effect of any use of any facilities is to
infringe such rights, must notify the University copyright officer immediately.
5.21. Any user who becomes aware that facilities are being used by any person to infringe the
privacy rights of another person, or that the effect of any use of any facilities is to infringe such
rights, must notify the University privacy officer immediately.
Misuse
5.22. Use for any purpose other than an authorised purpose is considered to be misuse, for
example:
(a) use that causes or contributes to a breach of any provision of a law, statute, regulation,
subordinate instrument, or code of practice or conduct applying to the University or to which users
are subject;
(b) use that contravenes a University statute, regulation, rule or terms and conditions, policy or
process;
(c) creating, transmitting, storing, downloading or possessing illegal material;
(d) the deliberate or reckless creation, transmission, storage, downloading, or display of any
offensive or menacing images, data or other material, or any data capable of being resolved into
such images or material, except in the case of the appropriate use of facilities for properly
supervised University work or study purposes;
(e) use which constitutes an infringement of any intellectual property rights of another person;
(f) communications which would be actionable under the law of defamation;
(g) communications which misrepresent a personal view as the view of the University, including
unauthorised use of the University crest;
(h) deliberate or reckless undertaking of activities resulting in:
i. the imposition of an unreasonable burden on a University facility;
ii. corruption of or disruption to data on a University facility, or to the data of another person;
iii. disruption to other users; and/or
iv. introduction or transmission of a virus into the facilities.
Specifically prohibited activities
5.23. Users may not:
(a) circumvent user authentication or access control measures, security or restrictions on the
use of any facilities or account, including the unauthorised distribution or use of tools for
compromising security;
(b) engage in gambling on-line, other than participation in approved football-tipping and like
competitions, where the primary purpose is social rather than financial;
(c) engage in unauthorised reserving of, or exclusion of others from using, any facilities;
(d) use any facilities for the purposes of any private business whether for profit or not, or for any
business purpose other than University business, without prior approval from the division head; or
(e) make any use of IT facilities which, while lawful, contravenes the intent of section 5.23 and
appears in the list of terms and conditions of use, as approved and amended from time to time by
the Executive Director, Infrastructure Services.
Removal of material
5.24. A provider may at any time, without prior notice, remove or disable access to any material
stored on or accessible via any facilities which it considers constitutes or may constitute, or be in
furtherance of, misuse or possible misuse of any facilities.
5.25. Without limiting 5.24, a provider may at any time, without prior notice, remove or disable
access to any material stored on or accessible via any facilities which it considers infringes or
may infringe the intellectual property rights of any person.
5.26. Where a person is aggrieved by a decision to remove or disable access to material under
this section:
(a) they may provide to the Executive Director, Infrastructure Services a written submission in
response to the decision;
(b) the Executive Director, Infrastructure Services, or delegate, must consider any such
submission and investigate the matter and decide, as soon as practicable, whether to uphold,
revoke or alter the decision, and advise the aggrieved person of that decision; and
(c) in making a decision, the Executive Director, Infrastructure Services, or delegate, must have
regard to the purpose of this policy and the interests of the University.
5.27. Any action taken under clauses 5.24–5.26 must take into account any relevant
requirements of the Privacy Policy or Records Management Policy.
Investigation
5.28. In this section, ‘investigator’ means an authorised representative of a provider or the
Executive Director, Infrastructure Services, or delegate.
5.29. If an investigator considers that an allegation of misuse which is brought to their attention
would, if substantiated, constitute a significant and unacceptable abuse of any facilities, then they
must do one of the following:
(a) investigate the allegation under this section; or
(b) if the investigator is a person other than the Executive Director, Infrastructure Services, refer
the allegation to the Executive Director, Infrastructure Services for investigation under this
section; or
(c) if the user is a student, refer the allegation to be dealt with as an allegation of general
misconduct under the Student General Misconduct Policy; or
(d) if the user is a member of staff, recommend that the allegation be dealt with under the
Appropriate Workplace Behaviour Policy or other relevant procedures or policies; or
(e) recommend that the allegation be dealt with under the provisions of any applicable contract.
5.30. An investigator may, at their discretion, investigate or refer any other allegation of misuse
which is brought to their attention.
Outcomes of investigation - reporting
5.31. If, as a result of an investigation under 5.29, an investigator is satisfied on the balance of
probabilities that misuse of any facilities has taken place, they must:
(a) prepare a written report setting out particulars of the misuse and of the investigation
undertaken, and any action taken by the investigator;
(b) if the investigator is a person other than the Executive Director, Infrastructure Services,
provide a copy of that report to the Executive Director, Infrastructure Services;
(c) if the investigation concerned alleged misuse of a facility, and the investigator does not have
the role with responsibility for that facility, provide a copy of the report to that relevant role;
(d) if the allegation of misuse was made against a member of staff or an honorary, provide a
copy of that report to the Vice-Principal, Administration and Finance & CFO and the Executive
Director, Human Resources & OHS; and
(e) if the allegation of misuse was made against a student, provide a copy of that report to the
Academic Registrar.
Outcomes of investigation - penalties
5.32. If, as a result of an investigation under 5.30, an investigator is satisfied on the balance of
probabilities that there has been misuse of any facilities by any staff user, they may, at their
discretion, do one or more of the following:
(a) decide to take no further action on the alleged misuse;
(b) counsel the user on appropriate use of the facilities;
(c) if the user is a student, recommend that the allegation be dealt with as an allegation of
general misconduct under the Student General Misconduct Policy;
(d) if the user is a member of staff, recommend that the allegation be dealt with under the
Appropriate Workplace Behaviour Policy or other relevant procedures or policies;
(e) if the user is an external user, recommend that the allegation be dealt with under applicable
provisions of any contract or otherwise as determined by the Vice-Principal, Administration and
Finance & CFO, or Head, University Services;
(f) decide to suspend or withdraw any service or the access of any user to any facilities, except
that where the user is a student and access to facilities is necessary for the student to continue
their studies, the decision can be made only with the approval of the Academic Registrar or
delegate, or pursuant to the penalty provisions in the Academic Board Regulation following
investigation of the allegation;
(g) require the user to indemnify or compensate the University or a provider for the reasonable
loss and damage occasioned by reason of the misuse; or
(h) if the misuse results in a breach of privacy, refer to the relevant privacy breach process.
User responses and appeals
5.33. Where a decision has been made regarding an allegation of misuse:
(a) the investigator must notify the affected user, in writing, as soon as practicable, of the
decision, with reasonable particulars, and of the right of appeal; and
(b) the investigator must provide the Executive Director, Infrastructure Services with a copy of
the notice as soon as practicable or, if the investigator is the Executive Director, Infrastructure
Services, they must provide the notice to the role in charge of the local facility, if relevant.
5.34. If the affected user is a staff member:
(a) the affected user may, within seven days of receiving the notice, provide to the Executive
Director, Infrastructure Services, or, in the case of the Executive Director, Infrastructure Services
being the investigator, provide to the Vice-Principal, Administration and Finance & CFO a written
submission in response to the decision;
(b) the Executive Director, Infrastructure Services or the Vice-Principal, Administration and
Finance & CFO, as appropriate, must consider the decision and such submission in response
and decide, within seven days of receipt, whether to uphold, revoke or alter the decision, and
advise the affected user of his or her decision as soon as practicable; and
(c) a decision by the Executive Director, Infrastructure Services or Vice-Principal, Administration
and Finance & CFO, or delegate is final. Where an allegation of misuse has been made against a
member of staff or an honorary, the Executive Director, Human Resources & OHS, or delegate,
will be consulted before making a decision if practicable to do so.
5.35. If the affected user is a student, the student must be referred to the Student Appeals to
the Academic Board Policy and associated process and advised of their right to present an
appeal under that policy.
6. Roles and responsibilities
Responsibility: Users
Role/Decision/Action:
- Use all IT facilities appropriately, lawfully and in compliance with this and other relevant policies and rules of the University
Responsibility: Providers
Role/Decision/Action:
- Provide reliable, secure access to the IT services or facilities in their control
- Ensure they and their staff do not access data or information passing through the system except as required by policy, rule or law
- Perform all required maintenance on systems, including imposing restrictions on use to facilitate maintenance
- Investigate, or cause to have investigated, allegations of system misuse
- Impose penalties or refer to other disciplinary processes if misuse is substantiated
- Report on all investigations to the director (information technology)
Conditions and limitations: Obtain approval from the director (information technology) for any computer or network naming or numbering system, or management practice, which has an impact beyond the facilities under the control of the provider
Responsibility: Executive Director, Infrastructure Services, or delegate
Role/Decision/Action:
- Consider provider requests for non-standard numbering or naming systems and give or deny permission
- Establish, publish and maintain IT standards which prescribe standard services
- Establish, and publish, conditions of information technology system use
- Investigate, or cause to have investigated, allegations of system misuse
- Impose penalties or refer to other disciplinary/breach processes if misuse is substantiated
Conditions and limitations: Where an allegation of misuse has been made against a member of staff or an honorary, the Executive Director, Human Resources & OHS, or delegate, must be consulted before making a decision if practicable to do so
Responsibility: Vice-Chancellor or delegate
Role/Decision/Action:
- Hear submissions from users who have been found to have committed misconduct in an investigation by the director (information technology)
- Determine whether the decision of the Executive Director, Infrastructure Services should be upheld, modified or reversed
Conditions and limitations: Where an allegation of misuse has been made against a member of staff or an honorary, the Executive Director, Human Resources & OHS, or delegate, must be consulted before making a decision if practicable to do so
7. Definitions
Authorised use means purposes associated with work or study in the University, provision of
services to or by the University, which are approved or authorised by the relevant officer or
employee of the University in accordance with University policies and procedures or pursuant to
applicable contractual obligations, limited personal use, or any other purpose authorised by the
relevant authority.
Computing and network facilities means computers, computer systems, data network
infrastructure, dial-in network access facilities, email and other communications and information
facilities together with associated equipment, software, files and data storage and retrieval
facilities, all of which are owned or operated by the University and form part of the central facilities
or the local facilities.
External provider means an external entity that provides computing and network facilities to the
University.
Provider means the University division which provides and manages any part of the facilities.
User means any member of staff or a student, or any other person, who is authorised to use the
central facilities or a local facility, including a provider and any officer, employee or agent of a
provider.
POLICY APPROVER
Vice-Chancellor
POLICY STEWARD
Executive Director, Infrastructure Services
REVIEW
This policy is to be reviewed by 2 June 2021.
VERSION HISTORY
Version: 1
Authorised by: Vice-Chancellor
Approval Date: 2 June 2016
Effective Date: 21 July 2016
Sections modified:
New policy arising from the review of
Consolidation Project. This policy and
8.3.R2 Computing and Network Facil
Support Policy (MPF1121), Email Ba
Procedure (MPF1125) and Provision
Version: 2
Authorised by: Executive Director, Infrastructure Services
Approval Date: 8 December 2016
Effective Date: 8 December 2016
Sections modified:
Editorial amendment, incorporating n
Policy (MPF1328).